CyberWire Daily - Hacking in Iran? The Lazarus Group hires Trickbot. Election influence ops. Cryptowars update. Ransomware in municipal and tribal governments. Patch Tuesday notes. Do it for State.
Episode Date: December 11, 2019
Iran says it's stopped a cyber attack, and that an insider was responsible for a major paycard exposure. Trickbot is now working for the Lazarus Group. Influence operations both foreign and domestic concern British voters on the eve of the general election. The cryptowars are heating up again as the US Senate opens hearings on encryption. Pensacola's cyberattack was ransomware, and so too apparently was the one that hit the Cherokee Nation. And do it for state. Emily Wilson from Terbium Labs with warnings about connected gifts for children. Guest is Kevin Lancaster from ID Agent on monitoring people affected by the OPM breach. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_11.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Iran says it stopped a cyber attack and that an insider was responsible for a major paycard exposure.
TrickBot is now working for the Lazarus Group.
Influence operations, both foreign and domestic,
concern British voters on the eve of the general election.
The crypto wars are heating up again
as the U.S. Senate opens hearings on encryption.
Pensacola's cyber attack was ransomware,
and so too, apparently, was the one that hit the Cherokee Nation.
And do it for state.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Wednesday, December 11, 2019.
Iranian officials say they've stopped a very big cyber attack,
U.S. News reports. But Tehran didn't call out the nation responsible
or say what attack they were referring to.
The New York Times independently reports
that the breach and exposure of some 15 million Iranian bank debit cards
followed last month's unrest in that country.
The number of accounts involved amounts to a fifth of the country's population.
Iran's information and telecommunications minister denied that the nation's banking
system's computers had been breached and said that the incident was the result of an insider threat,
what he described as a disgruntled contractor who had used his access to the accounts to expose them
in an extortion caper. The Times notes speculation that an unnamed nation-state adversary was behind the data theft.
The presumed goal of a nation-state would be to induce more instability into an Iranian society
already under stress induced by international sanctions.
Messages that represented themselves as being from the attackers were distributed over Telegram,
with the initial communique reading,
We will burn the reputation of their banks the same way we torched their banks.
The burning is an allusion to the damage done to some 730 banks during last month's rioting.
So the stolen paycard data remains, for now, under investigation.
Security firm Cybereason today outlined a new use for TrickBot,
spreading Anchor malware against a select set of targets.
Sentinel Labs, which has been tracking related activity, reported yesterday afternoon that the TrickBot criminal enterprise is now supplying North Korea's Lazarus Group.
Criminal groups have worked with state intelligence and security agencies before, but this transnational collaboration is relatively unusual. The more common pattern is the one observed in Russia,
where gangs operate at the sufferance of the state, under the tacit understanding that they'll
leave certain potential, usually domestic, victims alone, and that they'll undertake
occasional tasks as the organs direct. The TrickBot cooperation seems closer to a conventional business arrangement than it
does to a protection racket.
TrickBot has been adept at both code injection and quiet harvesting of desktop credentials.
Threatpost warns that banks especially should look to their defenses.
The Lazarus Group has long been involved in financial crime as it meets taskings to redress North Korea's chronic sanctions-induced shortfalls,
and TrickBot began its career as financially focused malware.
As the United Kingdom prepares for tomorrow's election,
Business Insider cites experts who see disinformation circulated via WhatsApp as a problem for voters.
Concern about the potential for foreign meddling remains high,
but not all mendacity comes from abroad.
The New York Times notes that supporters of the two largest political parties,
Labour and the Conservatives, have themselves apparently learned from the Russian disinformation playbook, operating misleading sites, trading in leaked documents, and fomenting malicious rumors.
What's new, of course, is that this is being done over the internet as opposed to the coffee
houses and newspapers that would have been its vehicles in, say, the late 18th century.
The U.S. Senate Judiciary Committee's hearings on encryption policy opened today.
Observers see the balance in the crypto wars tilting against
end-to-end encryption. Facebook is hanging tough for the pro-encryption side, but The Telegraph
thinks the social network is now in a fight it will find it difficult to win. That fight is
proceeding on both sides of the Atlantic, and those in favor of limiting the reach and effectiveness
of encryption, typically law enforcement agencies who see their work as a contribution
to what former FBI Director James Comey called ordered liberty,
have gained momentum by arguing that while privacy is all well and good,
encryption has too often played a role in enabling child abuse and human trafficking.
Back in 2015, the OPM breach captured the attention of the security community
and the public at large
for both its size and the scope of information taken.
In the years since, the OPM breach served as a case study
for those monitoring the information gathered from the victims.
Kevin Lancaster is General Manager of Security Solutions at Kaseya and CEO of ID Agent.
He was among those who were brought in to remediate the breach from the outset.
So when you have an incident, a breach, the first focus, the first goal is always,
you know, identify what happened, what was extracted, and then, you know, normalize and
secure, right? So you want to, you know, really respond quickly and understand what happened.
It's always chaotic when you're dealing with an incident, but something of that magnitude, it's obviously polarized. It's
compounded by the fact it's the U.S. federal government, and it's going to make the news
just about every corner of the globe. So there's always that period where it's just,
it's really intense. And then you get into program launch, and you often, you do, you reserve 800 numbers and notifications for those that were impacted by the incident.
But again, because of the enormity and how much speculation there was, the government, OPM, and others decided to release the call center 800 numbers.
And so we went from really strong response times, maybe two, three, four minutes in the call center to something like three hours, four hours.
You know, as we're recording this, we're coming up on 2020,
and the OPM breach happened back in 2015. So I think it's sort of unique in that we have
the ability to have that distance in the rearview mirror between now and when it happened.
What are some of the take-homes for you now that you've had time to take it all in
to analyze what has happened in your own mind?
When you look back on it,
what are some of the lessons you take away from it?
Most of the large salacious breaches
that you have out there,
unless you're dealing with a very persistent,
well-funded adversary,
most of them could have been mitigated with layers,
right? Adding in multi-factor to access your O365. So I think part of the takeaway is that,
you know, maybe it was a funding challenge for OPM, FedGov in particular. There were bare
minimums that they could have been doing five years ago, there are bare minimums that organizations could be doing today
to mitigate 70%, 80% of the attacks that they see on a daily basis.
And so one of the disconcerting things in all this is that
you still see statistics out there about 75%, 80% of people
still use the same or derivation of the same password.
And the broader population, 4% or 5% of the broader population,
are using a password manager or some type of multi-factor
or single sign-in in anything they sign into.
So it just tells you that we still have a long way to go
to make these bare minimums standards.
That is, I think, part of the positive byproducts out of some of these incidents,
you know, looking at what NIST is coming out with, these frameworks and their statements on passwords and password usage complexities.
I think looking back, it's like, wow, that was five years ago.
A lot of things have changed and a lot of things haven't changed.
And so there's good and bad, I guess, in hindsight.
That's Kevin Lancaster. He's general manager of security solutions at Kaseya and CEO of ID Agent.
The city of Pensacola confirmed yesterday that the cyber attack it sustained was indeed a
ransomware incident, WEAR-TV reports. That's what it looked like at first. And in the U.S.,
at any rate, state and local governments have become favorite targets of ransomware.
Nor should tribal governments be forgotten either.
The Eastern Band of the Cherokee Nation also sustained a ransomware attack,
according to the Charlotte Observer, one that hit sometime Monday.
Tribal authorities say they've contained the infestation,
but that they've also powered down their servers pending a full recovery.
Services are being restored as soon as that becomes possible.
Cherokee police have one suspect in custody.
In a speech posted on Facebook, Principal Chief Richard Sneed said that a member of the tribe,
employed by the tribal government, is believed to have carried out the attack.
Chief Sneed declared a state of emergency
for the Eastern Band, which is also working with the FBI and other federal agencies.
They're treating the incident as an act of domestic terrorism.
Yesterday was Patch Tuesday, and Microsoft issued 16 security updates, three of which closed remote
code execution vulnerabilities. It's also the end, for real and forever, of support for Windows 7,
and Microsoft says it's going to display a big full-screen message to the dead-enders on January 15th.
Your Windows 7 PC is out of support. Read and heed, dead-enders.
Adobe also patched, fixing 17 issues in Photoshop, Reader, and Brackets.
And Google updated Chrome as it begins rolling out a feature that will warn users if they've got an exposed password.
And finally, remember the case last year of the guy who attempted to seize control of the domain name DoItForState at gunpoint
and was thwarted when he himself was shot in the bungled attempt to make the
legitimate owner transfer the rights to a different GoDaddy account. Mr. Sherman Hopkins Jr. of Cedar
Rapids, Iowa, pistol-whipped and then wounded the domain owner, but in the ensuing tussle,
the victim, Ethan Deyo, got the gun away from Mr. Hopkins and, in turn, shot him. Both men have
recovered and Mr. Hopkins is now a guest of the correctional system.
As you might imagine, Mr. Hopkins was not the mastermind behind the idea.
No, that would have been his cousin, Mr. Rossi Lorathio Adams II, known as Polo.
Mr. Adams, an Iowa State alumnus and proprietor of an influencer site
devoted to kegger culture around the university,
felt his own enterprise would be more successful if only it had the slogan Do It For State embedded in its domain.
Anyhoo, the U.S. Attorney for the Northern District of Iowa on Monday announced that Mr. Adams would serve 14 years
on one count of conspiracy to interfere with commerce
by force, threats, and violence.
Well, if you've got to do time, do it for state.
And I'm pleased to be joined once again by Emily Wilson.
She's the VP of Research at Terbium Labs.
Emily, it's always great to have you back.
We are heading into the holiday season here.
It is upon us.
And you had some things you wanted to remind listeners about when it comes to connected gifts.
I do.
You know, I think anyone who's spoken to me in the last few years has heard me express some of my concerns about the amount of child data that's showing up in some of these
criminal marketplaces and that we need to be thinking critically about the way that children
are having their information captured or exploited by criminals. And I think it's a good time to
remind people that while you should be cautious about gifting any kind of connected device,
and I think my colleagues in the cybersecurity space would agree, you should be
particularly careful when you think about connected devices for children. And by connected devices,
I mean anything that is going to be able to collect data on your child or the child you're
gifting it to that might require some sort of account creation. These devices may seem harmless
and they may go entirely uncorrupted by cybercriminals,
but the more opportunities that we have
to collect data on children,
the more viable a consumer class they become effectively.
And if we're kind of collecting data on them
from a very early age,
that's more data that can be exposed eventually. It's more data
available to cyber criminals. It's more data available to marketing firms. And children
aren't in a position to make informed, consensual decisions about their data collection and their
data usage. And so we need to be careful in the ways that we do that for them.
So in general, when it comes to collecting data about children,
are they in a more
protected category than adults are? They should be. And in theory, they are, right? We have
disclaimers on websites or on applications requiring that if you are under the age of 13,
for example, you need to have a parent's consent to use a website or to use an app. That's great in theory.
In practice, there are ways to get around that, of course, whether from older children who are
going to simply say, yes, I have parental consent and this is all fine, I'm allowed to use this.
Or it may be that parents do consent and that parents don't understand the implications of
consenting to a child using,
say, a tablet that's specifically designed for children or a smartwatch that's supposed to
encourage physical activity. Really great ideas, really great things to encourage learning, to
encourage fitness and health. These are good ideas, but we have to stop and think critically about
what information is being collected.
Is that information associated with a child or a parent?
How is that information being used by the company that has developed this technology or this tool or this toy?
Who are they sharing that information with when they're sharing that information with third parties?
Is that information associated with a parent or a child? There are a lot of
questions here that we need to be asking ourselves critically about the things that we,
as informed consenting adults, are using with the technology that we rely on every day.
But we need to be thinking that way about children as well, because we don't always know what we're
going to be opting our kids into. And we also don't know if the companies that are receiving
this data are using
it or limiting it in the way that they're supposed to. Yeah, that's a really interesting insight. I
mean, it strikes me that this generation coming up is perhaps the first that has this. It puts
them at risk of having their data collected from the very beginning of their lives. From the very beginning, whether collected by some of these devices, as we're describing,
or it may be that parents are opting them into that collection.
When you think about, of course, you have a child, you're very excited about that,
you want to share that with people.
And so you share photos, you share names and information,
you share the time that they were born and the day
that they were born, you track how much they love a certain toy or how much they enjoy a certain
food. And all of that information being shared, particularly on open social media networks,
for example, that information can be tracked. You know, you have to think about the fact that
you're not just sharing information with your friends or with your family.
You're also opting your children into what is, quite frankly, a broader surveillance network.
And when we think about how that might develop over the next 10, 15, 20 years as those children come of age, we should be cautious to say the least.
Yeah, I can really see that being a tough situation for parents where the functionality of that hot toy at Christmastime may rely on its connectivity.
It's connecting with other kids or being able to share information online.
If you disable that, then you can see there being a lot of peer pressure.
That's the whole point of the device.
I think there are a couple of things to address there. One is that it is understandable and reasonable to want to get children toys or devices that are going to allow them to enjoy all of the benefits of technology.
It's very exciting to read a book about a dinosaur and then go watch a YouTube clip of what scientists have imagined that dinosaur
might have looked like and moved like, right? It's really exciting to be able to connect those
kinds of resources. And for children who are growing up in a device-reliant world, in a
technology-reliant world, it's important to develop those skills just as we develop language skills or
writing skills. The flip side of that is that
there are ways that parents can encourage these children to enjoy some of those devices,
maybe with a little bit more protection. Maybe don't use your child's real name. If you need
to create an account for a device, for example, use an account generator. Use something that is
not affiliated with your child or your family in any way,
which is also a fantastic opportunity to teach children about how to be safe online.
Yeah.
All right.
Well, Emily Wilson, thanks for joining us.
Thanks for listening. We'll see you back here tomorrow.